A smart card, typically a type of chip card, is a plastic card that contains an embedded computer chip (either a memory or microprocessor type) that stores and transacts data. This data is usually associated with either value, information, or both and is stored and processed within the card's chip. The card data is transacted via a reader that is part of a computing system. Systems that are enhanced with smart cards are in use today throughout several key applications, including healthcare, banking, entertainment, and transportation.

Smart cards improve the convenience and security of any transaction. They provide tamper-proof storage of user and account identity. Smart cards also provide vital components of system security for the exchange of data throughout virtually any type of network. They protect against a full range of security threats, from careless storage of user passwords to sophisticated system hacks. The costs to manage password resets for an organization or enterprise are very high, thus making smart cards a cost-effective solution in these environments.

The combination of a smart card and the user’s personal identity number (PIN) provides Two-Factor Authentication, where two items are needed: something physical the user has (a smart card) and something the user knows (a PIN). Since something physical and something non-physical are both required, the result is a much more secure means of authenticating users.

When it comes to the US Government's Department of Defense, the National Institute of Standards and Technology (NIST) responded to Directive HSPD-122 with the Personal Identity Verification (PIV) program, which leverages smart cards to centralize authentication to a single, manageable token that can hold a variety of pertinent information. These smart cards are usually referred to as Common Access Cards, or 'CAC' cards for short.[1]

The CAC, a "smart" card about the size of a credit card, is the standard identification for active-duty military personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel. It is also the principal card used to enable physical access to buildings and controlled spaces, and it provides access to defense computer networks and systems. The CAC enables the encryption and cryptographic signing of email, facilitates the use of public key infrastructure (PKI) authentication tools, and establishes an authoritative process for the use of identity credentials.[2]

Worldwide, people are now using smart cards for a wide variety of daily tasks, which include: Government / Military Aspects, Healthcare, E-Commerce and Web Site Authentication.

Project

Develop a Personal Identity Verification (PIV) module that could be implemented into the Drupal CMS platform to allow for Smart Card (SC) or US Government Department of Defense Common Access Card (CAC) card log-in and verification to secure websites.

As a bonus, there is an open source Smart Card project (http://www.opensc-project.org/opensc) that maintains a list of supported / confirmed smart cards, along with the reader hardware and libraries that can be used for development and testing needs.

There was once sandbox-related activity found here http://drupal.org/sandbox/larquin/1292622, but it seems to have been abandoned. I think it would be a benefit to the Drupal CMS project and community as a whole to have a module of this caliber actually be produced and available.

Profit for Drupal

Allow Drupal CMS and Drupal-derived frameworks to be rapidly deployed in actual healthcare, e-commerce and within government facilities in the United States and throughout the world where secure website authentication needs are necessary.

Allow deployments of Drupal CMS by other multi-national governments to be enhanced with an added layer of security for the end user visiting and using the site.

Success Criteria

Development of the PIV module.

Setup and configuration of a Linux OS platform running Apache that is configured to support Public Key Infrastructure (PKI). For testing purposes, we will use self-signed CA SSL certificates.

Installation of Drupal CMS and implementation of said PIV module upon secure Apache platform environment.

Creating an account on said Drupal CMS environment and registering the user's SC/CAC with said account.

Once the account is confirmed, the user should be presented with the card verification screen when a SC/CAC is inserted and scanned by the reader; the user enters the PIN, the PKI certificate on the SC/CAC card is verified against the user's Drupal CMS database profile keys, and the user successfully accesses the website's SSL/HTTPS environment.

Test verification. Attempt to login to secure Drupal CMS site using SC/CAC card.

Record demo of actual CAC card use against said proof of concept environment.

User acceptance testing, clean up documentation steps.

Present PIV module to Drupal community.
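
The certificate-to-account check described in the success criteria could look like the following. This is an added sketch, not code from the proposed module or from Drupal: the function names and the `$registered` table (a stand-in for the "profile keys") are hypothetical, and it assumes Apache mod_ssl is configured with `SSLVerifyClient require` and `SSLOptions +StdEnvVars +ExportCertData` so that PHP receives `SSL_CLIENT_VERIFY` and `SSL_CLIENT_CERT`.

```php
<?php
// Added example. Assumes mod_ssl has already validated the certificate chain
// against the test CA; the card's PIN is checked client-side by the card
// middleware before the private key is used in the TLS handshake.

/** SHA-256 fingerprint of the verified client certificate, or null. */
function piv_client_cert_fingerprint(array $server): ?string {
  // mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:reason.
  if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
    return null;
  }
  $pem = $server['SSL_CLIENT_CERT'] ?? '';  // PEM, needs +ExportCertData
  $cert = openssl_x509_parse($pem);
  if ($cert === false) {
    return null;
  }
  // Defence in depth: re-check the validity window in the application.
  $now = time();
  if ($now < $cert['validFrom_time_t'] || $now > $cert['validTo_time_t']) {
    return null;
  }
  $fp = openssl_x509_fingerprint($pem, 'sha256');  // lowercase hex
  return $fp === false ? null : $fp;
}

/** Map a fingerprint to the account it was registered with, or null. */
function piv_lookup_uid(?string $fingerprint, array $registered): ?int {
  if ($fingerprint === null) {
    return null;
  }
  foreach ($registered as $uid => $stored) {
    // Constant-time comparison of the stored and presented fingerprints.
    if (hash_equals(strtolower($stored), $fingerprint)) {
      return (int) $uid;
    }
  }
  return null;
}

// Constructed registration table: uid => fingerprint recorded at enrolment.
$registered = [42 => '<sha256-fingerprint-registered-for-uid-42>'];

$uid = piv_lookup_uid(piv_client_cert_fingerprint($_SERVER), $registered);
if ($uid === null) {
  http_response_code(403);
  exit('No registered smart card certificate was presented.');
}
// From here the module would start the session for account $uid.
```

Revocation is not checked in this sketch; for CAC/PIV certificates that check (CRL or OCSP) belongs in the TLS layer alongside the chain validation.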

Biography

Name: Michael Worsham (Swampcritter)

PHP Experience: One year (debug only)

Drupal Experience: Five years (infrastructure/architect support)

Linux Experience: Over fifteen years

Apache Experience: Over fifteen years

MySQL Experience: Ten years

I have over seventeen years of hands-on, technical and team-lead managerial experience. Within the Drupal.org community, I have usually been present in the High-Performance and MySQL groups, as these relate to back-end LAMP needs more than the actual PHP programming aspects of Drupal. I have been in the past an active participant for the Drupal.org redesign implementers. As for my actual professional work aspects, when I was with Morris Communications LLC, I was their Senior System Engineer & IT Architect and actually designed and integrated the infrastructure that is now known as the Morris SMS platform (the solution consists of PressFlow 6, multi-memcached instances, integrated authcache/memcache patch, reverse squid proxies), which they are actively using today for a number of their on-going projects. Today, I support the US Government working on a number of projects supporting the warfighter, including the high-profile Veterans Affairs Post 9/11 GI Bill Project.